Network Security with OpenSSL

Book description

Most applications these days are at least somewhat network aware, but how do you protect those applications against common network security threats? Many developers are turning to OpenSSL, an open source version of SSL/TLS, which is the most widely used protocol for secure network communications.

The OpenSSL library is seeing widespread adoption for web sites that require cryptographic functions to protect a broad range of sensitive information, such as credit card numbers and other financial transactions. The library is the only free, full-featured SSL implementation for C and C++, and it can be used programmatically or from the command line to secure most TCP-based network protocols.

Network Security with OpenSSL enables developers to use this protocol much more effectively. Traditionally, getting something simple done in OpenSSL could easily take weeks. This concise book gives you the guidance you need to avoid pitfalls, while allowing you to take advantage of the library's advanced features. And, instead of bogging you down in the technical details of how SSL works under the hood, this book provides only the information that is necessary to use OpenSSL safely and effectively. In step-by-step fashion, the book details the challenges in securing network communications, and shows you how to use OpenSSL tools to best meet those challenges.

As a system or network administrator, you will benefit from the thorough treatment of the OpenSSL command-line interface, as well as from step-by-step directions for obtaining certificates and setting up your own certification authority. As a developer, you will further benefit from the in-depth discussions and examples of how to use OpenSSL in your own programs. Although OpenSSL is written in C, information on how to use OpenSSL with Perl, Python and PHP is also included.

OpenSSL may well answer your need to protect sensitive data. If that's the case, Network Security with OpenSSL is the only guide available on the subject.

Table of contents

  1. Dedication
  2. A Note Regarding Supplemental Files
  3. Preface
    1. About This Book
    2. Conventions Used in This Book
    3. Comments and Questions
    4. Acknowledgments
  4. 1. Introduction
    1. 1.1. Cryptography for the Rest of Us
      1. 1.1.1. Goals of Cryptography
      2. 1.1.2. Cryptographic Algorithms
        1. 1.1.2.1. Symmetric key encryption
        2. 1.1.2.2. Public key encryption
        3. 1.1.2.3. Cryptographic hash functions and Message Authentication Codes
        4. 1.1.2.4. Digital signatures
    2. 1.2. Overview of SSL
    3. 1.3. Problems with SSL
      1. 1.3.1. Efficiency
        1. 1.3.1.1. Cryptographic acceleration hardware
        2. 1.3.1.2. Load balancing
      2. 1.3.2. Keys in the Clear
      3. 1.3.3. Bad Server Credentials
      4. 1.3.4. Certificate Validation
      5. 1.3.5. Poor Entropy
      6. 1.3.6. Insecure Cryptography
    4. 1.4. What SSL Doesn’t Do Well
      1. 1.4.1. Other Transport Layer Protocols
      2. 1.4.2. Non-Repudiation
      3. 1.4.3. Protection Against Software Flaws
      4. 1.4.4. General-Purpose Data Security
    5. 1.5. OpenSSL Basics
    6. 1.6. Securing Third-Party Software
      1. 1.6.1. Server-Side Proxies
      2. 1.6.2. Client-Side Proxies
  5. 2. Command-Line Interface
    1. 2.1. The Basics
      1. 2.1.1. Configuration Files
    2. 2.2. Message Digest Algorithms
      1. 2.2.1. Examples
    3. 2.3. Symmetric Ciphers
      1. 2.3.1. Examples
    4. 2.4. Public Key Cryptography
      1. 2.4.1. Diffie-Hellman
        1. 2.4.1.1. Examples
      2. 2.4.2. Digital Signature Algorithm
        1. 2.4.2.1. Examples
      3. 2.4.3. RSA
        1. 2.4.3.1. Examples
    5. 2.5. S/MIME
      1. 2.5.1. Examples
    6. 2.6. Passwords and Passphrases
    7. 2.7. Seeding the Pseudorandom Number Generator
  6. 3. Public Key Infrastructure (PKI)
    1. 3.1. Certificates
      1. 3.1.1. Certification Authorities
        1. 3.1.1.1. Private Certification Authorities
        2. 3.1.1.2. Public Certification Authorities
      2. 3.1.2. Certificate Hierarchies
      3. 3.1.3. Certificate Extensions
      4. 3.1.4. Certificate Revocation Lists
      5. 3.1.5. Online Certificate Status Protocol
    2. 3.2. Obtaining a Certificate
      1. 3.2.1. Personal Certificates
      2. 3.2.2. Code-Signing Certificates
      3. 3.2.3. Web Site Certificates
    3. 3.3. Setting Up a Certification Authority
      1. 3.3.1. Creating an Environment for Your Certification Authority
      2. 3.3.2. Building an OpenSSL Configuration File
      3. 3.3.3. Creating a Self-Signed Root Certificate
      4. 3.3.4. Issuing Certificates
      5. 3.3.5. Revoking Certificates
  7. 4. Support Infrastructure
    1. 4.1. Multithread Support
      1. 4.1.1. Static Locking Callbacks
      2. 4.1.2. Dynamic Locking Callbacks
    2. 4.2. Internal Error Handling
      1. 4.2.1. Manipulating Error Queues
      2. 4.2.2. Human-Readable Error Messages
      3. 4.2.3. Threading and Practical Applications
    3. 4.3. Abstract Input/Output
      1. 4.3.1. Source/Sink BIOs
        1. 4.3.1.1. Memory sources/sinks
        2. 4.3.1.2. File sources/sinks
        3. 4.3.1.3. Socket sources/sinks
        4. 4.3.1.4. BIO pairs
      2. 4.3.2. Filter BIOs
    4. 4.4. Random Number Generation
      1. 4.4.1. Seeding the PRNG
      2. 4.4.2. Using an Alternate Entropy Source
    5. 4.5. Arbitrary Precision Math
      1. 4.5.1. The Basics
      2. 4.5.2. Mathematical Operations
      3. 4.5.3. Generating Prime Numbers
    6. 4.6. Using Engines
  8. 5. SSL/TLS Programming
    1. 5.1. Programming with SSL
      1. 5.1.1. The Application(s) to Secure
      2. 5.1.2. Step 1: SSL Version Selection and Certificate Preparation
        1. 5.1.2.1. Background
        2. 5.1.2.2. Certificate preparation
        3. 5.1.2.3. Our example extended
      3. 5.1.3. Step 2: Peer Authentication
        1. 5.1.3.1. Background
        2. 5.1.3.2. Incorporating trusted certificates
        3. 5.1.3.3. Certificate verification
        4. 5.1.3.4. Incorporating certificate revocation lists
        5. 5.1.3.5. Post-connection assertions
        6. 5.1.3.6. Further extension of the examples
      4. 5.1.4. Step 3: SSL Options and Cipher Suites
        1. 5.1.4.1. Setting SSL options
        2. 5.1.4.2. Ephemeral keying
        3. 5.1.4.3. Cipher suite selection
        4. 5.1.4.4. The final product
        5. 5.1.4.5. Beyond the example
    2. 5.2. Advanced Programming with SSL
      1. 5.2.1. SSL Session Caching
        1. 5.2.1.1. Client-side SSL sessions
        2. 5.2.1.2. Server-side SSL sessions
        3. 5.2.1.3. An on-disk, session caching framework
      2. 5.2.2. I/O on SSL Connections
        1. 5.2.2.1. Reading and writing functions
        2. 5.2.2.2. Blocking I/O
        3. 5.2.2.3. Non-blocking I/O
      3. 5.2.3. SSL Renegotiations
        1. 5.2.3.1. Implementing renegotiations
        2. 5.2.3.2. Renegotiations in 0.9.7
        3. 5.2.3.3. Further notes
  9. 6. Symmetric Cryptography
    1. 6.1. Concepts in Symmetric Cryptography
      1. 6.1.1. Block Ciphers and Stream Ciphers
      2. 6.1.2. Basic Block Cipher Modes
    2. 6.2. Encrypting with the EVP API
      1. 6.2.1. Available Ciphers
        1. 6.2.1.1. AES
        2. 6.2.1.2. Blowfish
        3. 6.2.1.3. CAST5
        4. 6.2.1.4. DES
        5. 6.2.1.5. DESX
        6. 6.2.1.6. Triple DES
        7. 6.2.1.7. IDEA
        8. 6.2.1.8. RC2™
        9. 6.2.1.9. RC4™
        10. 6.2.1.10. RC5™
      2. 6.2.2. Initializing Symmetric Ciphers
      3. 6.2.3. Specifying Key Length and Other Options
      4. 6.2.4. Encryption
      5. 6.2.5. Decryption
      6. 6.2.6. Handling UDP Traffic with Counter Mode
    3. 6.3. General Recommendations
  10. 7. Hashes and MACs
    1. 7.1. Overview of Hashes and MACs
    2. 7.2. Hashing with the EVP API
    3. 7.3. Using MACs
      1. 7.3.1. Other MACs
        1. 7.3.1.1. CBC-MAC
        2. 7.3.1.2. XCBC-MAC
        3. 7.3.1.3. XOR-MAC
        4. 7.3.1.4. UMAC
    4. 7.4. Secure HTTP Cookies
  11. 8. Public Key Algorithms
    1. 8.1. When to Use Public Key Cryptography
    2. 8.2. Diffie-Hellman
      1. 8.2.1. The Basics
      2. 8.2.2. Generating and Exchanging Parameters
      3. 8.2.3. Computing Shared Secrets
      4. 8.2.4. Practical Applications
    3. 8.3. Digital Signature Algorithm (DSA)
      1. 8.3.1. The Basics
      2. 8.3.2. Generating Parameters and Keys
      3. 8.3.3. Signing and Verifying
      4. 8.3.4. Practical Applications
    4. 8.4. RSA
      1. 8.4.1. The Basics
      2. 8.4.2. Generating Keys
      3. 8.4.3. Data Encryption, Key Agreement, and Key Transport
      4. 8.4.4. Signing and Verifying
      5. 8.4.5. Practical Applications
    5. 8.5. The EVP Public Key Interface
      1. 8.5.1. Signing and Verifying
      2. 8.5.2. Encrypting and Decrypting
    6. 8.6. Encoding and Decoding Objects
      1. 8.6.1. Writing and Reading DER-Encoded Objects
      2. 8.6.2. Writing and Reading PEM-Encoded Objects
  12. 9. OpenSSL in Other Languages
    1. 9.1. Net::SSLeay for Perl
      1. 9.1.1. Net::SSLeay Variables
      2. 9.1.2. Net::SSLeay Error Handling
      3. 9.1.3. Net::SSLeay Utility Functions
      4. 9.1.4. Net::SSLeay Low-Level Bindings
    2. 9.2. M2Crypto for Python
      1. 9.2.1. Low-Level Bindings
      2. 9.2.2. High-Level Classes
        1. 9.2.2.1. M2Crypto.SSL
        2. 9.2.2.2. M2Crypto.BIO
        3. 9.2.2.3. M2Crypto.EVP
        4. 9.2.2.4. Miscellaneous crypto
      3. 9.2.3. Python Module Extensions
        1. 9.2.3.1. Extensions to httplib: httpslib
        2. 9.2.3.2. Extensions to urllib: m2urllib
        3. 9.2.3.3. Extensions to xmlrpclib: m2xmlrpclib
    3. 9.3. OpenSSL Support in PHP
      1. 9.3.1. General Functions
      2. 9.3.2. Certificate Functions
      3. 9.3.3. Encryption and Signing Functions
      4. 9.3.4. PKCS#7 (S/MIME) Functions
  13. 10. Advanced Programming Topics
    1. 10.1. Object Stacks
    2. 10.2. Configuration Files
    3. 10.3. X.509
      1. 10.3.1. Generating Requests
        1. 10.3.1.1. Subject name
        2. 10.3.1.2. X.509 Version 3 extensions
        3. 10.3.1.3. Putting it all together
      2. 10.3.2. Making Certificates
      3. 10.3.3. X.509 Certificate Checking
    4. 10.4. PKCS#7 and S/MIME
      1. 10.4.1. Signing and Verifying
      2. 10.4.2. Encrypting and Decrypting
      3. 10.4.3. Combined Operations
      4. 10.4.4. PKCS#7 Flags
    5. 10.5. PKCS#12
      1. 10.5.1. Wrapping Information into a PKCS#12 Object
      2. 10.5.2. Importing Objects from PKCS#12 Data
  14. A. Command-Line Reference
    1. asn1parse
    2. ca
    3. ciphers
    4. crl
    5. crl2pkcs7
    6. dgst
    7. dhparam
    8. dsa
    9. dsaparam
    10. enc
    11. errstr
    12. gendsa
    13. genrsa
    14. nseq
    15. passwd
    16. pkcs7
    17. pkcs8
    18. pkcs12
    19. rand
    20. req
    21. rsa
    22. rsautl
    23. s_client
    24. s_server
    25. s_time
    26. sess_id
    27. smime
    28. speed
    29. spkac
    30. verify
    31. version
    32. x509
  15. Index
  16. About the Authors
  17. Colophon
  18. Copyright

Product information

  • Title: Network Security with OpenSSL
  • Author(s): John Viega, Matt Messier, Pravir Chandra
  • Release date: June 2002
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9780596002701